Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
- To: Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
- From: Robert Heller <heller@deepsoft.com>
- Date: Thu, 28 Sep 2017 18:28:44 -0400 (EDT)
- Cc: Robert Heller <heller@deepsoft.com>, Openldap Technical <openldap-technical@openldap.org>
- In-reply-to: <5A6DACC51CF6F5156270C77F@[192.168.1.30]>
- Organization: Deepwoods Software
- References: <20170928170817.DE268732A40@sharky3.deepsoft.com> <WM!3841d97ef9fe61874abde790669c89cda7491f751a8d1d42d6fedcad23ad03723369227f2cf988e1296a97f7d1455a45!@mailstronghold-2.zmailcloud.com> <3631C46B10C6A6D96C92A6CA@[192.168.1.30]> <20170928183434.C52377323F2@sharky3.deepsoft.com> <WM!d02d61414b21d1174b6888ab449c4269fa38d934004f76ade936b18cd00ea29eb903d4c22a82e75a76373bb72667b68d!@mailstronghold-3.zmailcloud.com> <5A6DACC51CF6F5156270C77F@[192.168.1.30]>
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:
>
> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
> <heller@deepsoft.com> wrote:
>
>
> > Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
> > it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
> > something is wrong with slapd's TLS configuration -- it is failing to do
> > TLS Negotiation, either it is just not doing it or it is doing it wrong
> > (somehow). Unless SSSD is not configured properly.
>
> You need to start with the following:
>
> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>
> to test startTLS
>
> and
>
> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>
> to test without startTLS
>
> If you can get those to work, then you can move on to SSSD.
[heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D cn=Manager,dc=deepsoft,dc=com -W
ldap_start_tls: Connect error (-11)
additional info: TLS error -8157:Certificate extension not found.
[heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D cn=Manager,dc=deepsoft,dc=com -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The certificate is from my own CA and I *think* I have things set up properly,
but it is an openssl cert and I know that slapd (and sssd) are built with
MozNSS.
ldap.conf contains:
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
and /etc/openldap/slapd.d/ contains:
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services
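The two ldapwhoami probes Quanah lists, and the "TLS error -8157: Certificate extension not found" failure above (-8157 is NSS's SEC_ERROR_EXTENSION_NOT_FOUND), both come down to what is actually inside the certificate files that ldap.conf and the olcTLS* attributes point at. The script below is an added example, not code from this thread or from the OpenLDAP project: it builds a throwaway CA and server certificate with the openssl CLI (1.1.1 or newer is assumed), checks a certificate file for a verifiable chain and for the X.509v3 extensions a TLS stack normally wants to see (basicConstraints CA:TRUE on the CA, subjectAltName and extendedKeyUsage on the server certificate), and wraps the openssl s_client equivalents of the StartTLS and ldaps probes. The hostname c764guest is taken from the thread; the file names, the extension set and the "bad" certificate are constructed for the example and are not a statement of what caused the poster's error.

```sh
#!/bin/sh
# Added example: throwaway PKI plus certificate checks for slapd/sssd TLS.
# Not the poster's certificates; everything here is generated locally.

# make_test_pki DIR HOSTNAME: writes ca.key/ca.pem, srv.key/srv.pem (server
# cert with SAN/EKU/basicConstraints) and bad.pem (same CSR, same CA, but
# signed with no extension file at all, so it has no SAN, EKU or BC).
make_test_pki() {
    dir=$1; host=$2
    printf '%s\n' "[req]" "distinguished_name = dn" "x509_extensions = ca_ext" \
        "prompt = no" "[dn]" "CN = Example Test CA" "[ca_ext]" \
        "basicConstraints = critical,CA:TRUE" \
        "keyUsage = critical,keyCertSign,cRLSign" > "$dir/ca.cnf"
    printf '%s\n' "[req]" "distinguished_name = dn" "prompt = no" \
        "[dn]" "CN = $host" > "$dir/srv.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -days 1 -out "$dir/ca.pem"
    openssl genrsa -out "$dir/srv.key" 2048 2>/dev/null
    openssl req -new -key "$dir/srv.key" -config "$dir/srv.cnf" -out "$dir/srv.csr"
    # extensions a server certificate used for ldaps:// and StartTLS should carry
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=DNS:$host" > "$dir/srv.ext"
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/srv.ext" -out "$dir/srv.pem" 2>/dev/null
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/bad.pem" 2>/dev/null
}

# has_ext CERT "Extension Name": 0 if that X509v3 extension is in the cert
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2:"
}

# check_ca_cert CAFILE: the file named by TLS_CACERT / olcTLSCACertificateFile
# must be marked as a CA, otherwise the chain cannot be built.
check_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# check_server_cert CERT CAFILE: verifies the chain for the sslserver purpose
# and lists which expected extensions are missing. Returns 0 only if the
# chain verifies and nothing is missing.
check_server_cert() {
    cert=$1; ca=$2; rc=0
    if openssl verify -CAfile "$ca" -purpose sslserver "$cert" >/dev/null 2>&1; then
        echo "chain: OK ($cert is signed by $ca)"
    else
        echo "chain: FAILED ($cert does not verify against $ca)"; rc=1
    fi
    for ext in "Subject Alternative Name" "Extended Key Usage" "Basic Constraints"; do
        if has_ext "$cert" "$ext"; then
            echo "present: $ext"
        else
            echo "MISSING: $ext"; rc=1
        fi
    done
    return $rc
}

# probe_starttls HOST PORT CAFILE: the wire-level equivalent of
# ldapwhoami -ZZ -H ldap://HOST:PORT (plain LDAP, then StartTLS).
probe_starttls() {
    openssl s_client -connect "$1:$2" -starttls ldap -CAfile "$3" \
        -verify_return_error </dev/null 2>&1 |
        grep -E 'verify error|Verify return code|Protocol|subject='
}

# probe_ldaps HOST PORT CAFILE: the equivalent of ldapwhoami -H ldaps://HOST:PORT
# (TLS from the first byte, no StartTLS extended operation).
probe_ldaps() {
    openssl s_client -connect "$1:$2" -CAfile "$3" \
        -verify_return_error </dev/null 2>&1 |
        grep -E 'verify error|Verify return code|Protocol|subject='
}

# Stand-alone demo on a constructed PKI; no network needed.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d" c764guest
    echo "== good server cert"; check_server_cert "$d/srv.pem" "$d/ca.pem"
    echo "== cert signed without any extensions"
    check_server_cert "$d/bad.pem" "$d/ca.pem" || echo "(as expected: rejected)"
    rm -rf "$d"
}
demo
```

Run the checks against the real files first (the CA from TLS_CACERT and the certificate from olcTLSCertificateFile), then run probe_starttls against port 389 and probe_ldaps against port 636 with the same CA file; a "Verify return code: 0 (ok)" from both is the precondition for the ldapwhoami tests, and only after those pass is it worth looking at sssd.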